Cyber Resilience

CVE-2025-54366

Severity: High · Public PoC · RCE

Published: 26 July 2025
Modified: 11 September 2025
CVSS Score (v4.0): 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
EPSS Score: 0.0660 (91.4th percentile)
Risk Priority: 21 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54366 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in FreeScout (vendor and product both listed as "Freescout"). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 8.6% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

FreeScout is a lightweight open source help desk application built with PHP and the Laravel framework. Versions 1.8.185 and earlier contain a critical deserialization flaw in the /conversation/ajax endpoint. The vulnerability arises when the application processes the attachments_all and attachments POST parameters via the insecure Helper::decrypt function, which performs unsafe deserialization of attacker-controlled data without validation and is reachable by any authenticated user who knows the application's APP_KEY.

An attacker with these prerequisites can supply a crafted payload that creates arbitrary objects and manipulates their properties, resulting in remote code execution and full compromise of the web application. The issue is tracked as CWE-502 and carries a CVSS 4.0 score of 8.6 reflecting high impact on confidentiality, integrity, and availability when the required conditions are met.

The vulnerability is addressed in version 1.8.186. The project has published a security advisory and a corresponding commit that removes the unsafe deserialization path in the affected endpoint. The EPSS score remains flat at 0.0660 with no material increase observed after disclosure.


Vulnerability details

FreeScout is a lightweight free open source help desk and shared inbox built with PHP (Laravel framework). In versions 1.8.185 and below, there is a critical deserialization vulnerability in the /conversation/ajax endpoint that allows authenticated users with knowledge of the APP_KEY to achieve remote code execution. The vulnerability occurs when the application processes the attachments_all and attachments POST parameters through the insecure Helper::decrypt() function, which performs unsafe deserialization of user-controlled data without proper validation. This flaw enables attackers to create arbitrary objects and manipulate their properties, leading to complete compromise of the web application. This is fixed in version 1.8.186.
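The defect described above, decrypting a request parameter through a wrapper that unserializes whatever the ciphertext contains, is shown here beside a hardened variant that never calls unserialize() and validates the decrypted value against the shape the endpoint expects. This is an added illustration, not FreeScout's code or its real Helper::decrypt; the functions decryptUnsafe and decryptAttachmentIds are hypothetical, the key is constructed in place of APP_KEY, and Laravel's Illuminate\Encryption\Encrypter is assumed to be installed via Composer.

```php
<?php
// Added illustration, not FreeScout's code. Assumes Laravel's Encrypter is
// available through Composer autoload; the key is constructed here instead
// of being read from APP_KEY.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Encryption\Encrypter;
use Illuminate\Contracts\Encryption\DecryptException;

// Risky pattern (hypothetical stand-in for a Helper::decrypt-style wrapper):
// Laravel's decrypt() unserializes the plaintext by default, so anyone who
// holds the key can make the application instantiate serialized objects.
function decryptUnsafe(Encrypter $enc, string $payload)
{
    return $enc->decrypt($payload); // implicit unserialize() of the plaintext
}

// Hardened variant: decrypt to a plain string only, then validate the
// structure this endpoint actually expects (a JSON array of positive IDs).
function decryptAttachmentIds(Encrypter $enc, string $payload): array
{
    $plain = $enc->decryptString($payload); // never unserialize()
    $ids = json_decode($plain, true);
    if (!is_array($ids)) {
        throw new InvalidArgumentException('attachments: expected a JSON array');
    }
    foreach ($ids as $id) {
        if (!is_int($id) || $id < 1) {
            throw new InvalidArgumentException('attachments: invalid attachment ID');
        }
    }
    return $ids;
}

$enc = new Encrypter(random_bytes(32), 'AES-256-CBC'); // constructed key

// Legitimate input: attachment IDs travel as an encrypted JSON string.
$good = $enc->encryptString(json_encode([12, 34]));
var_dump(decryptAttachmentIds($enc, $good));

// A serialized object (a harmless stdClass, constructed for the demo) is
// instantiated by the risky wrapper but rejected by the hardened one.
$obj = $enc->encrypt(new stdClass());
var_dump(decryptUnsafe($enc, $obj) instanceof stdClass);
try {
    decryptAttachmentIds($enc, $obj);
} catch (InvalidArgumentException | DecryptException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```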


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique?

Unsafe deserialization in a public-facing web app directly enables RCE via exploitation of the vulnerable endpoint.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-58163 (same product: Freescout Freescout)
CVE-2026-27636 (same product: Freescout Freescout)
CVE-2026-28289 (same product: Freescout Freescout)
CVE-2026-40496 (same product: Freescout Freescout)
CVE-2026-27637 (same product: Freescout Freescout)
CVE-2026-39384 (same product: Freescout Freescout)
CVE-2026-40498 (same product: Freescout Freescout)
CVE-2026-32754 (same product: Freescout Freescout)
CVE-2026-32752 (same product: Freescout Freescout)
CVE-2026-40497 (same product: Freescout Freescout)

Affected Assets

Vendor: freescout · Product: freescout · Versions: ≤ 1.8.86

Mitigating Controls (NIST 800-53 r5, AI-assigned)

prevent: Directly mandates timely patching of the deserialization flaw fixed in FreeScout version 1.8.186 to prevent RCE exploitation.

prevent (SI-10, Information Input Validation): Requires validation of the user-controlled attachments_all and attachments POST parameters at the /conversation/ajax endpoint to block malicious serialized objects.

detect (RA-5, Vulnerability Monitoring and Scanning): Enables vulnerability scanning to identify systems affected by CVE-2025-54366 for subsequent remediation.
